International Cyber Security at the UN: Between Doom and Hesitant Optimism

06/11/2013 07:50 pm ET. Updated Aug 11, 2013

According to an Internet Complaint Report compiled by the Federal Bureau of Investigation (FBI) from 2010, a total of 14,689 offenses related to cyber crime were filed in the state of New York. The top three crimes were the non-delivery of merchandise despite payment, identity theft, and auction fraud on Internet portals, such as eBay. The financial loss in 2010 for the state of New York alone was over twenty-six million dollars.

Congruent with three week-long sessions by the UN Group of Governmental Experts (GGE) on cyber security issues, the German embassy to the UN, in cooperation with the EastWest Institute, hosted an expert panel entitled "Cyber Security - Uncharted waters for the UN." Yes, the group maintained, international law and even the UN Charter apply to cyberspace. However, the path to consensus among member states on a global framework will be, not surprisingly, long and arduous.

The terms cyber terrorism, cyber crime and cyber security seem insufficiently clear to describe to the general public a scenario that might more likely appear in a scene from a chilling science fiction movie. The German-based Global Economic Symposium from 2013 commented on this dilemma, "Sadly, public ignorance of the threats of cyber crime is all too frequent."

The Center for Strategic and International Studies (CSIS) defines cyber terrorism as, "The use of computer network tools to shut down critical national infrastructures (e.g., energy, transportation, government operations) or to coerce or intimidate a government or civilian population."

The US Federal Bureau of Investigation (FBI) generally sums up cyber crime as the following offenses: computer and network intrusions such as bots, worms, viruses, spyware, malware, hacking and identity theft.

The International Telecommunication Union defines cyber security as a "Collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyber environment, including organizations' and users' assets."

Meanwhile, global news stories on cyber security, and on breaches of it through cyber crime, are becoming more frequent and are therefore increasingly central to public perception.

With growing concern over these generally unpredictable threats, what options does the international community have to prevent cyber attacks from occurring? How realistic is it to achieve international consensus on the matter, and what institution should be the hub for international law enforcement regarding the Internet? And is cyber terrorism a real threat after all? Peter Warren, chairman of the Cyber Security Institute in the UK, explained in a recent interview that terrorist networks that seek to carry out an attack over the Internet, "are running a risk to be tracked and found because such organizations are quite heavily monitored by the intelligence agencies all over the world." Warren stated further that a capable state carrying out an attack against another state seems more likely.

Examples of cyber warfare (or cyber conflict) already exist in many forms. In addition to ongoing cyber tensions between the US and China, there was the extensively documented cyber attack launched by the U.S. and Israel aimed to substantially hurt Iran's nuclear program in 2009. The latter operation, known as the Stuxnet computer worm, was deemed by NATO as "an act of force" and likely "illegal under international law."

There is also last week's leaked Presidential Policy Directive 20. According to The Huffington Post's author Gerry Smith, it represents "the latest sign that the US is preparing for cyber war."

The panel assembled by the German embassy and the EastWest Institute comprised leading cybersecurity experts representing three different variations of national interest and ideology. They found an interesting balance between doom and cautious optimism regarding future cyber security solutions.

Sandro Gaycken, researcher at the Institute of Computer Science at the Freie Universität in Berlin, Germany, unsurprisingly represented the heavy-hearted faction. Gaycken, also a bit of a moral finger-wagger, preferred to lecture his American colleague James Lewis, from the Center for Strategic and International Studies in Washington, about American shortcomings related to regulatory policies and an almighty Internet industry that is supposedly impossible, and admittedly difficult, to regulate.

Cherian Samuel, representing the Institute for Defence Studies and Analyses in New Delhi, India, and also the largest Internet community in the world, voiced concerns that the U.N. might not be "fast enough" in addressing the global security matters related to the Internet. "We are moving on a very slow scale, while the problems are expanding much faster," he said. Lewis reminded the audience that while U.N. processes indeed tend to take some time, he believed in the possibility of positive outcomes, specifically referencing the arms trade treaty (ATT) process, a global effort to regulate the international arms trade that had started back in 1997. "I'm very optimistic. It will take years, but we will get there," Lewis commented.

The panel agreed, with constraints, on basing global cyber security on the U.N. Charter and international law. A recent U.N. study from February 2013, titled "Comprehensive Study on Cyber Crime," addresses the legal framework in order to put sufficient international regulation in place, with the following key results:

The technological developments associated with cybercrime mean that - while traditional laws can be applied to some extent - legislation must also grapple with new concepts and objects, such as intangible 'computer data,' not traditionally addressed by law.
Legal measures are crucial to the prevention and combating of cybercrime, and are required in all areas, covering criminalization, procedural powers, jurisdiction, international cooperation, and Internet service provider responsibility and liability.

At the national level, cybercrime laws most often concern criminalization - establishing specialized offences for core cybercrime acts. Countries increasingly recognize the need, however, for legislation in other areas. Compared to existing laws, new or planned cybercrime laws more frequently address investigative measures, jurisdiction, electronic evidence, and international cooperation.

While both Samuel and Lewis stressed the importance of securing the Internet through binding international regulation, Gaycken raised concerns that this process might effectively result in the end of Internet privacy, a prospect not well received in Europe. He repeatedly stressed that strong economic interests of large Internet firms, such as Google, will prevent or significantly slow down the movement for global web regulation.

Clearly, establishing a worldwide regulatory framework for Internet security will require staying power, juridical skill and a strong belief in the need to protect both the integrity of vital Internet resources and the lives of those threatened by cyber insecurity.